Tool Developer: Scott Mathis, CPA, CISA & CISSP | | github.com/smathis | linkedin.com/in/smathis | twitter.com/smathis | smathis.github.io/unsur

Analysis

Overview


Scope

Scope Table
Assets at risk
Containers/Points of attack
Threat communities
Threat Types
Effects
Included Excluded Included Excluded Included Excluded Included Excluded Included Excluded
Non Public Information (NPI) Other Other devices on Palm Domain RBC Bank US AD Systems privileged insiders (RBC Bank US & Vendors) non-privileged insiders (RBC Bank US & Vendors) deliberately Mechanical confidentiality integrity
SFQ0 Risk Reporting Server on RBC Bank Palm Domain RBC Bank US SMTP Systems malicious software Adversarial Process Failure availability
SFQ0 Risk Reporting Server on Palm-Domain RBC Bank US Networking and FW Systems external attackers Natural theft
Database instance on SFQ0 Risk Reporting Server RBC Bank US Vulnerability Scanner Systems accidentally fraud
RBC Bank US sysadmin jump stations on Palm-Domain RBC Bank US Vendor Access Non Adversarial
Monitored servers on Palm Domain RBC Bank US Replicated DR Equivalent Systems
Monitored servers on Maple-Net RBC Bank US Backup Systems
RBC Bank US Distributed File System (DFS )Systems
RBC Bank US Endpoint Security Management Server
RBC Bank US Endpoint Management Server
RBC Bank US Hypervisor Server

Areas were excluded as was considered reasonable and appropriate with the resources provided and time constraints set but do make up the larger system of supporting technologies. The private subnet chosen for most components is RBC Bank’s subnet called “Palm Domain”.

Projection The net value after factoring in costs, benefits, losses, and mitigation costs over 1 year, 2 year, and 3 years.

Plan A Expected

Year 1 Year 2 Year 3
Benefits $65,723 $131,446 $197,170
Costs $55,142 $58,042 $60,941
Loss $539,548 $1,079,097 $1,618,645
Mitigation Costs $0 $0 $0
Prevented Loss $0 $0 $0
Net -$528,967 -$1,068,516 -$1,608,064

Plan B Expected

Year 1 Year 2 Year 3
Benefits $65,723 $131,446 $197,170
Costs $55,142 $58,042 $60,941
Loss $241,962 $483,925 $725,887
Mitigation Costs $5,386 $5,386 $5,386
Prevented Loss $297,586 $595,172 $892,758
Net $60,819 $116,442 -$720,692

Plan C Expected

Year 1 Year 2 Year 3
Benefits $65,723 $131,446 $197,170
Costs $55,142 $58,042 $60,941
Loss $213,849 $427,697 $641,546
Mitigation Costs $49,221 $49,221 $49,221
Prevented Loss $325,700 $651,400 $977,099
Net $73,211 $185,062 -$764,527


Given the net value after factoring in known initial and recurring costs of this project as well as the project’s known benefits, potential losses due to risks, and control mitigation costs, RBC Bank US can expect to spend more resourcs on security controls to operate the FIS Profile solution than gain equivalent value over at least the fist 3 years.

Benefits Parameters provided by experts to approximate benefits of this project

Benefits Table
Benefit UID Benefit Event Benefits Probability Benefits Lower Bound Benefits Most Likely Benefits Upper Bound Benefits Rationale Benefits Recurring_Ben
benefit-1 System performance monitoring and alerting to prevent outages where possible and reduce outage duration. 90% $6,348 $18,229 $171,875 LowEnd = .5 hrs of outages for 150 employees making 75k+30%bens, MostLikely = 1 hrs of outages 200 emps making 100k+30%bens, HighEnd = 4 hrs outages 300 emps making 300k+30%bens, TRUE
benefit-2 Remote command execution via performance agent. 50% $30 $2,000 $200,000 Assumes Upper Bound is cost of one FTE. Not part of original use-case but may be used. TRUE

The benefits of this project take the form of prevented outages and reduction of outage events. The value is estimated based on the wages of personnel who would be unable to work due to an outage that this solution would prevent but who would still be paid according to their normal work hours. A potential benefit also factored in is prospective use of the solution’s alternative functionality of remote system control. This has the potential to save systems administrators time though it is uncertain so is given a probability of providing value of 50% per year.

Costs Parameters provided by experts to approximate the costs of this project.

Costs Table
Known Costs UID Known Cost Event Known Costs Lower Bound Known Costs Most Likely Known Costs Upper Bound Known Costs Rationale Known Costs Recurring Expense
cost-1 Product (SFQ0 Risk Reporting) direct purchase costs $19,790 $19,790 $19,790 Actual Contract FALSE
cost-2 Product (SFQ0 Risk Reporting Server) support and pro services $0 $0 $0 No Pro Services FALSE
cost-3 Internal setup and testing RBC Bank $1,500 $24,000 $72,000 Wage-based - Sys Engineer x 2 - 1-12 week, ML 4 weeks FALSE
cost-4 Internal initial security review $1,500 $2,800 $5,600 Wage-based - Security Analyst x 1 FALSE
cost-5 Ongoing maintenance and systems administration $1,500 $3,000 $4,000 Wage-based - Sys Engineer x 1 - 1 to 8 weeks ML 2 TRUE

Costs include product purchase costs based on the quote provided by the vendor as well as the system administrator wage plus benefits times the estimated hours required to test and implement the product. The same wage and benefit calculation is used for ongoing systems administration maintenance of the product and review by security analysts.

Scenarios

Scenarios Table
UID Assets at risk Containers/Points of attack Threat communities Threat Types Effects Scenario
Risk-1 Non Public Information (NPI) Other devices on Palm Domain privileged insiders (RBC Bank US & Vendors) deliberately confidentiality privileged insiders (RBC Bank US & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through Other devices on Palm Domain.
Risk-2 Non Public Information (NPI) SFQ0 Risk Reporting Server Server on Palm Domain privileged insiders (RBC Bank US & Vendors) deliberately confidentiality privileged insiders (RBC Bank US & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through SFQ0 Risk Reporting Server Server on Palm Domain.
Risk-3 Non Public Information (NPI) SFQ0 Risk Reporting Server DEV Server on Palm Domain privileged insiders (RBC Bank US & Vendors) deliberately confidentiality privileged insiders (RBC Bank US & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through SFQ0 Risk Reporting Server DEV Server on Palm Domain.
Risk-4 Non Public Information (NPI) Database instance on SFQ0 Risk Reporting Server DEV privileged insiders (RBC Bank US & Vendors) deliberately confidentiality privileged insiders (RBC Bank US & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through Database instance on SFQ0 Risk Reporting Server DEV.
Risk-5 Non Public Information (NPI) RBC Bank US sysadmin jump stations on Palm Domain privileged insiders (RBC Bank US & Vendors) deliberately confidentiality privileged insiders (RBC Bank US & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through RBC Bank US sysadmin jump stations on Palm Domain.
Risk-6 Non Public Information (NPI) Monitored servers on Maple Domain privileged insiders (RBC Bank US & Vendors) deliberately confidentiality privileged insiders (RBC Bank US & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through Monitored servers on Maple Domain.
Risk-7 Non Public Information (NPI) Monitored servers on Birch Domain privileged insiders (RBC Bank US & Vendors) deliberately confidentiality privileged insiders (RBC Bank US & Vendors) deliberately impact the confidentiality of Non Public Information (NPI) through Monitored servers on Birch Domain.
Risk-8 Non Public Information (NPI) Other devices on Palm Domain malicious software deliberately confidentiality malicious software deliberately impact the confidentiality of Non Public Information (NPI) through Other devices on Palm Domain.
Risk-9 Non Public Information (NPI) SFQ0 Risk Reporting Server Server on Palm Domain malicious software deliberately confidentiality malicious software deliberately impact the confidentiality of Non Public Information (NPI) through SFQ0 Risk Reporting Server Server on Palm Domain.
Risk-10 Non Public Information (NPI) SFQ0 Risk Reporting Server DEV Server on Palm Domain malicious software deliberately confidentiality malicious software deliberately impact the confidentiality of Non Public Information (NPI) through SFQ0 Risk Reporting Server DEV Server on Palm Domain.
Risk-11 Non Public Information (NPI) Database instance on SFQ0 Risk Reporting Server DEV malicious software deliberately confidentiality malicious software deliberately impact the confidentiality of Non Public Information (NPI) through Database instance on SFQ0 Risk Reporting Server DEV.
Risk-12 Non Public Information (NPI) RBC Bank US sysadmin jump stations on Palm Domain malicious software deliberately confidentiality malicious software deliberately impact the confidentiality of Non Public Information (NPI) through RBC Bank US sysadmin jump stations on Palm Domain.
Risk-13 Non Public Information (NPI) Monitored servers on Maple Domain malicious software deliberately confidentiality malicious software deliberately impact the confidentiality of Non Public Information (NPI) through Monitored servers on Maple Domain.
Risk-14 Non Public Information (NPI) Monitored servers on Birch Domain malicious software deliberately confidentiality malicious software deliberately impact the confidentiality of Non Public Information (NPI) through Monitored servers on Birch Domain.
Risk-15 Non Public Information (NPI) Other devices on Palm Domain external attackers deliberately confidentiality external attackers deliberately impact the confidentiality of Non Public Information (NPI) through Other devices on Palm Domain.
Risk-16 Non Public Information (NPI) SFQ0 Risk Reporting Server Server on Palm Domain external attackers deliberately confidentiality external attackers deliberately impact the confidentiality of Non Public Information (NPI) through SFQ0 Risk Reporting Server Server on Palm Domain.
Risk-17 Non Public Information (NPI) SFQ0 Risk Reporting Server DEV Server on Palm Domain external attackers deliberately confidentiality external attackers deliberately impact the confidentiality of Non Public Information (NPI) through SFQ0 Risk Reporting Server DEV Server on Palm Domain.
Risk-18 Non Public Information (NPI) Database instance on SFQ0 Risk Reporting Server DEV external attackers deliberately confidentiality external attackers deliberately impact the confidentiality of Non Public Information (NPI) through Database instance on SFQ0 Risk Reporting Server DEV.
Risk-19 Non Public Information (NPI) RBC Bank US sysadmin jump stations on Palm Domain external attackers deliberately confidentiality external attackers deliberately impact the confidentiality of Non Public Information (NPI) through RBC Bank US sysadmin jump stations on Palm Domain.
Risk-20 Non Public Information (NPI) Monitored servers on Maple Domain external attackers deliberately confidentiality external attackers deliberately impact the confidentiality of Non Public Information (NPI) through Monitored servers on Maple Domain.
Risk-21 Non Public Information (NPI) Monitored servers on Birch Domain external attackers deliberately confidentiality external attackers deliberately impact the confidentiality of Non Public Information (NPI) through Monitored servers on Birch Domain.
Risk-22 Non Public Information (NPI) Other devices on Palm Domain privileged insiders (RBC Bank US & Vendors) deliberately availability privileged insiders (RBC Bank US & Vendors) deliberately impact the availability of Non Public Information (NPI) through Other devices on Palm Domain.
Risk-23 Non Public Information (NPI) SFQ0 Risk Reporting Server Server on Palm Domain privileged insiders (RBC Bank US & Vendors) deliberately availability privileged insiders (RBC Bank US & Vendors) deliberately impact the availability of Non Public Information (NPI) through SFQ0 Risk Reporting Server Server on Palm Domain.
Risk-24 Non Public Information (NPI) SFQ0 Risk Reporting Server DEV Server on Palm Domain privileged insiders (RBC Bank US & Vendors) deliberately availability privileged insiders (RBC Bank US & Vendors) deliberately impact the availability of Non Public Information (NPI) through SFQ0 Risk Reporting Server DEV Server on Palm Domain.
Risk-25 Non Public Information (NPI) Database instance on SFQ0 Risk Reporting Server DEV privileged insiders (RBC Bank US & Vendors) deliberately availability privileged insiders (RBC Bank US & Vendors) deliberately impact the availability of Non Public Information (NPI) through Database instance on SFQ0 Risk Reporting Server DEV.
Risk-26 Non Public Information (NPI) RBC Bank US sysadmin jump stations on Palm Domain privileged insiders (RBC Bank US & Vendors) deliberately availability privileged insiders (RBC Bank US & Vendors) deliberately impact the availability of Non Public Information (NPI) through RBC Bank US sysadmin jump stations on Palm Domain.
Risk-27 Non Public Information (NPI) Monitored servers on Maple Domain privileged insiders (RBC Bank US & Vendors) deliberately availability privileged insiders (RBC Bank US & Vendors) deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Maple Domain.
Risk-28 Non Public Information (NPI) Monitored servers on Birch Domain privileged insiders (RBC Bank US & Vendors) deliberately availability privileged insiders (RBC Bank US & Vendors) deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Birch Domain.
Risk-29 Non Public Information (NPI) Other devices on Palm Domain malicious software deliberately availability malicious software deliberately impact the availability of Non Public Information (NPI) through Other devices on Palm Domain.
Risk-30 Non Public Information (NPI) SFQ0 Risk Reporting Server Server on Palm Domain malicious software deliberately availability malicious software deliberately impact the availability of Non Public Information (NPI) through SFQ0 Risk Reporting Server Server on Palm Domain.
Risk-31 Non Public Information (NPI) SFQ0 Risk Reporting Server DEV Server on Palm Domain malicious software deliberately availability malicious software deliberately impact the availability of Non Public Information (NPI) through SFQ0 Risk Reporting Server DEV Server on Palm Domain.
Risk-32 Non Public Information (NPI) Database instance on SFQ0 Risk Reporting Server DEV malicious software deliberately availability malicious software deliberately impact the availability of Non Public Information (NPI) through Database instance on SFQ0 Risk Reporting Server DEV.
Risk-33 Non Public Information (NPI) RBC Bank US sysadmin jump stations on Palm Domain malicious software deliberately availability malicious software deliberately impact the availability of Non Public Information (NPI) through RBC Bank US sysadmin jump stations on Palm Domain.
Risk-34 Non Public Information (NPI) Monitored servers on Maple Domain malicious software deliberately availability malicious software deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Maple Domain.
Risk-35 Non Public Information (NPI) Monitored servers on Birch Domain malicious software deliberately availability malicious software deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Birch Domain.
Risk-36 Non Public Information (NPI) Other devices on Palm Domain external attackers deliberately availability external attackers deliberately impact the availability of Non Public Information (NPI) through Other devices on Palm Domain.
Risk-37 Non Public Information (NPI) SFQ0 Risk Reporting Server Server on Palm Domain external attackers deliberately availability external attackers deliberately impact the availability of Non Public Information (NPI) through SFQ0 Risk Reporting Server Server on Palm Domain.
Risk-38 Non Public Information (NPI) SFQ0 Risk Reporting Server DEV Server on Palm Domain external attackers deliberately availability external attackers deliberately impact the availability of Non Public Information (NPI) through SFQ0 Risk Reporting Server DEV Server on Palm Domain.
Risk-39 Non Public Information (NPI) Database instance on SFQ0 Risk Reporting Server DEV external attackers deliberately availability external attackers deliberately impact the availability of Non Public Information (NPI) through Database instance on SFQ0 Risk Reporting Server DEV.
Risk-40 Non Public Information (NPI) RBC Bank US sysadmin jump stations on Palm Domain external attackers deliberately availability external attackers deliberately impact the availability of Non Public Information (NPI) through RBC Bank US sysadmin jump stations on Palm Domain.
Risk-41 Non Public Information (NPI) Monitored servers on Maple Domain external attackers deliberately availability external attackers deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Maple Domain.
Risk-42 Non Public Information (NPI) Monitored servers on Birch Domain external attackers deliberately availability external attackers deliberately impact the availability of Non Public Information (NPI) through Monitored servers on Birch Domain.

42 loss scenarios were independantly considered given Plan A, B, and C controls.

Expected Loss Per Scenario

Inputs Summary

Inputs Summary
…1 min avg 75th ptile max Rng
Plan A Loss Event Frequency (LEF) Lower Bound $0 $0 $0 $0 $0
Plan A Loss Event Frequency (LEF) Most Likely $0 $0 $0 $0 $0
Plan A Loss Event Frequency (LEF) Upper Bound $0 $0 $0 $0 $0
Plan A Loss Magnitude (LM) Lower Bound $5,000 $5,000 $5,000 $5,000 $5,000
Plan A Loss Magnitude (LM) Most Likely $200,000 $200,000 $200,000 $200,000 $200,000
Plan A Loss Magnitude (LM) Upper Bound $10,000,000 $10,000,000 $10,000,000 $10,000,000 $10,000,000
Plan B Initial Control Cost Lower Bound $200 $200 $200 $200 $200
Plan B Initial Control Cost Most Likely $500 $500 $500 $500 $500
Plan B Initial Control Cost Upper Bound $3,000 $3,000 $3,000 $3,000 $3,000
Plan B Recurring Control Cost Lower Bound $0 $0 $0 $0 $0
Plan B Recurring Control Cost Most Likely $0 $0 $0 $0 $0
Plan B Recurring Control Cost Upper Bound $0 $0 $0 $0 $0
Plan B Loss Event Frequency (LEF) Lower Bound $0 $0 $0 $0 $0
Plan B Loss Event Frequency (LEF) Most Likely $0 $0 $0 $0 $0
Plan B Loss Event Frequency (LEF) Upper Bound $0 $0 $0 $0 $0
Plan B Loss Magnitude (LM) Lower Bound $5,000 $5,000 $5,000 $5,000 $5,000
Plan B Loss Magnitude (LM) Most Likely $200,000 $200,000 $200,000 $200,000 $200,000
Plan B Loss Magnitude (LM) Upper Bound $10,000,000 $10,000,000 $10,000,000 $10,000,000 $10,000,000
Plan C Initial Control Cost Lower Bound $3,000 $3,000 $3,000 $3,000 $3,000
Plan C Initial Control Cost Most Likely $10,000 $10,000 $10,000 $10,000 $10,000
Plan C Initial Control Cost Upper Bound $50,000 $50,000 $50,000 $50,000 $50,000
Plan C Recurring Control Cost Lower Bound $0 $0 $0 $0 $0
Plan C Recurring Control Cost Most Likely $0 $0 $0 $0 $0
Plan C Recurring Control Cost Upper Bound $0 $0 $0 $0 $0
Plan C Loss Event Frequency (LEF) Lower Bound $0 $0 $0 $0 $0
Plan C Loss Event Frequency (LEF) Most Likely $0 $0 $0 $0 $0
Plan C Loss Event Frequency (LEF) Upper Bound $0 $0 $0 $0 $0
Plan C Loss Magnitude (LM) Lower Bound $5,000 $5,000 $5,000 $5,000 $5,000
Plan C Loss Magnitude (LM) Most Likely $200,000 $200,000 $200,000 $200,000 $200,000
Plan C Loss Magnitude (LM) Upper Bound $10,000,000 $10,000,000 $10,000,000 $10,000,000 $10,000,000
Benefits Lower Bound $30 $30 $30 $30 $30
Benefits Most Likely $2,000 $2,000 $2,000 $2,000 $2,000
Benefits Upper Bound $171,875 $171,875 $171,875 $171,875 $171,875
Known Costs Lower Bound $0 $0 $0 $0 $0
Known Costs Most Likely $0 $0 $0 $0 $0
Known Costs Upper Bound $0 $0 $0 $0 $0

ECDF


The ECDF View RBC Bank US

Density


The Density View RBC Bank US

Violin


The Violin Review RBC Bank US

Swarm


The Swarm View RBC Bank US

Box


The Box View RBC Bank US


Ridge

The Ridge View RBC Bank US

Journal

Risk Model Journal

Journal of events related to this particular risk model.
Date Type Summary Detail Journaler
2020-05-22 Initialization Model initialized Scott Mathis, CPA, CISA & CISSP
2020-05-23 Delivery Report provided to CISO. Scott Mathis, CPA, CISA & CISSP
2020-05-24 Approval CISO approval of risk modeled, provided requested revisions are made and all controls of “Plan B” are implemented. Scott Mathis, CPA, CISA & CISSP
2020-05-30 Pre-approved updates CISO revisions made. Scott Mathis, CPA, CISA & CISSP
2022-05-23 Updates Model updated. Scott Mathis, CPA, CISA & CISSP
2022-05-23 Delivery Report provided to CISO. Scott Mathis, CPA, CISA & CISSP
2022-05-23 Approval CISO approval of risk modeled, provided requested revisions are made and all controls of “Plan C” are implemented. Scott Mathis, CPA, CISA & CISSP
2022-05-23 Pre-approved updates CISO Revisions Made. Scott Mathis, CPA, CISA & CISSP

Method

Methodology Criteria

A risk analysis should meet local, city, state, federal, and international compliance criteria and yield a corresponding risk assessment report. The criteria and objective of this analysis is as follows:

  1. To create a list of threats that the entity may become exposed to as a result of the changes presented in discussion with stakeholders.
  2. To communicate the estimated probability and impact of such threats.
  3. To create a list of controls/mitigation strategies that may reduce the probability, impact or uncertainty of the listed threats.
  4. To communicate the measure of how much the probability, impact or uncertainty of the listed threats is modified by the controls/mitigation strategies considered.
  5. To communicate the benefit of controls under consideration and costs associated with them.

Methodology Standardization & Interoperability

The taxonomy chosen is based on Open Group’s Factor Analysis of Information Risk (FAIR) standard, an open and independent information risk analysis methodology. This ensures transparency, continuity, and interoperability with other major standards.

The Open Group is an industry consortium that facilitates business objectives by developing open, vendor-neutral technology standards and certifications.The Open Group published two Open FAIR standards that form the risk taxonomy followed:

The FAIR Institute maintains publicly available documentation, resources, community events and other modes of promotion, training, and collaboration.

Deviations from Standard

The methodology used for this assessment deviates from published standards where those standards deviate from scientifically rigorous literature that meets the following criteria:

An annotated review of the scientific literature supporting each component of this methodology may be found here.

Methodology

Scope definition, estimate parameters and commentary are collected using a format comfortable to most users, a spreadsheet. A companion spreadsheet is provided with this tool which is interoperable with major spreadsheet rendering software such as Microsoft Office Excel and Google Sheets. The only variable that needs to be entered into this tool is the address or filepath to the companion spreadsheet containing the scope components, estimate parameters, and desired commentary.

companion spreadsheet opened in Google Sheets.

companion spreadsheet opened in Microsoft Excel.

Data is collected in the form of interviews, documentation review, and/or receptor-based discovery scanning in order to define the scope of the assessment. Abstractions of the components within scope are categorized into areas: Assets, Containers / Points of Attack, Agent / Threat Communities, Threat Types, and Threat Effects.

NOTICE: Each column is an independent list. i.e. the contents of rows do not relate to each other.

Scenario Building

Loss scenarios are generated by exhausting all combinations of the components identified as in scope. Implausible scenarios are removed e.g. non-malicious malware. Scenario components are strung together to form the respective scenario.

Parameter Definition

Probability and impact parameters are defined from the integration of data and calibrated subject matter experts for each of the loss scenarios. Predefined distribution parameters and/or hyper-parameters of a loss event are used where they are available and credible.

To take advantage of a person’s natural Bayesian tendencies, calibration questions and responses take the form of frequency formats instead of percentages or fractions.

Frequency formats communicate information to experts in a form that more closely resembles the natural sampling observed in animal foraging and neural networks. What is 1% in standard format would be “1 in 100” in frequency format.

Control Planning

This risk assessment tool facilitates the comparison of different combinations of controls that may reduce the probability, impact, or uncertainty of loss events. The tool calls the first theoretical combination of loss events and controls “Plan-A”. Plan-A represents the absence of any controls in order to establish a baseline or “inherent risk”. Plan-B is the second combination of controls. This is where analysts may list controls that are in place and additional controls that they are considering implementing. Plan C is where the analyst would enter an alternative set or combination of controls which require comparison.

After controls have been entered as column headers under “Controls” the check boxes are used to indicate which loss scenarios that control effects.

e.g. The “Malware scans nightly” control is an applicable control to the Threat Community entries that contain “malicious software”.

Simulation

Monte Carlo Simulation is used to generate a dataset using the parameters provided. The simulations consist of at least 10,000 variations of each loss scenario.

Analysis

The resulting approximating dataset is then analyzed using appropriate statistical methodologies.

Reporting / Communication

Background and scope may be communicated alone or alongside visuals by entering the desired text into the respective sections in the Commentary tab of the spreadsheet.

After analysis has concluded, conclusions and recommendations may also be communicated alone or alongside visuals by entering the desired text into the respective sections of the Commentary tab of the companion spreadsheet.

Col2

Print

Table of Contents to sections here - Todo []

Print friendly contents here - Todo []